Payload Ransomware Uses ChaCha20 and Aggressive Anti-Forensics


Summary

Payload is a Windows ransomware family that encrypts files with ChaCha20, using a per-file Curve25519 ECDH exchange, and appends the .payload extension to each encrypted file. The malware drops a RECOVER_payload.txt ransom note, creates its own log file, and applies several anti-forensic measures, including ETW patching, deletion of VSS shadow copies, clearing of event logs, and termination of selected processes and services. First seen in February 2026, the group rapidly expanded its victim base across several continents, with notable focus on logistics, real estate, and manufacturing organizations. The operators also rely on Tor onion sites for victim communication and data leak publication.

Investigation

The analysis explains the ransomware’s cryptographic workflow, including creation of a fresh 32-byte victim private key, derivation of a shared secret through Curve25519, and direct use of that shared secret as the ChaCha20 encryption key. File encryption is carried out through I/O Completion Ports and concludes with a 56-byte RC4-encrypted footer that contains the victim public key and a constant FBI marker. Its anti-forensic behavior includes in-memory ETW patching, shadow copy deletion via vssadmin, and removal of Windows Event Logs. Researchers also found a predefined kill list of processes and services that the ransomware stops before launching encryption.

Mitigation

Defenders should monitor for the MakeAmericaGreatAgain mutex, newly created .payload files, and the presence of the RECOVER_payload.txt ransom note. Restricting execution of vssadmin.exe and blocking known Tor onion addresses associated with the group can reduce the effectiveness of its anti-forensic and communication methods. Endpoint protections should also detect ETW patching, suspicious NT API file I/O activity, and forced termination of important services. Maintaining regular offline backups and limiting dependence on shadow copies can further reduce business impact.
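The indicators above (the mutex name, the .payload extension, the ransom note file name, vssadmin shadow deletion and event log clearing) can be turned into simple host-triage rules. The following is an added example, not code from the original report or from the researchers it summarizes; the event records and their field names (`type`, `cmdline`, `path`, `name`) are a constructed simplification of Sysmon/EDR telemetry, and the verdict thresholds are an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Indicators named in the write-up above.
PAYLOAD_MUTEX = "MakeAmericaGreatAgain"
PAYLOAD_EXTENSION = ".payload"
RANSOM_NOTE = "RECOVER_payload.txt"

# Anti-forensic commands the report describes (shadow copy deletion, event log clearing).
VSS_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
EVTLOG_CLEAR = re.compile(r"\bwevtutil(\.exe)?\b\s+cl\b", re.IGNORECASE)


@dataclass
class Alert:
    rule: str    # which indicator rule fired
    detail: str  # the offending command line, path or mutex name


def check_event(event: Dict[str, str]) -> List[Alert]:
    """Apply the Payload indicator rules to one normalized event record.

    Assumed (constructed) event schema:
      {"type": "process",     "cmdline": "..."}
      {"type": "file_create", "path": "..."}
      {"type": "mutex",       "name": "..."}
    """
    alerts: List[Alert] = []
    kind = event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "")
        if VSS_DELETE.search(cmd):
            alerts.append(Alert("shadow_copy_deletion", cmd))
        if EVTLOG_CLEAR.search(cmd):
            alerts.append(Alert("event_log_clearing", cmd))
    elif kind == "file_create":
        path = event.get("path", "")
        # Take the file name regardless of Windows or POSIX separators.
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower().endswith(PAYLOAD_EXTENSION):
            alerts.append(Alert("payload_extension", path))
        if name == RANSOM_NOTE:
            alerts.append(Alert("ransom_note", path))
    elif kind == "mutex":
        if event.get("name") == PAYLOAD_MUTEX:
            alerts.append(Alert("payload_mutex", event["name"]))
    return alerts


def triage_host(events: List[Dict[str, str]]) -> Tuple[List[Alert], str]:
    """Run the rules over one host's events and return (alerts, verdict).

    Verdict (assumed thresholds): 'payload_ransomware' when the mutex or the
    ransom note is seen, or when two or more distinct rules fire; 'suspicious'
    for a single anti-forensic action on its own; 'clean' otherwise.
    """
    alerts = [a for e in events for a in check_event(e)]
    rules = {a.rule for a in alerts}
    if rules & {"payload_mutex", "ransom_note"} or len(rules) >= 2:
        verdict = "payload_ransomware"
    elif rules:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return alerts, verdict


# Constructed sample telemetry for one host (not real captured data).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "cmdline": "wevtutil.exe cl System"},
    {"type": "process", "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"type": "mutex", "name": "MakeAmericaGreatAgain"},
    {"type": "file_create", "path": "C:\\Users\\alice\\Documents\\Q1-report.xlsx.payload"},
    {"type": "file_create", "path": "C:\\Users\\alice\\Documents\\RECOVER_payload.txt"},
]

if __name__ == "__main__":
    found, verdict = triage_host(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.detail}")
    print("verdict:", verdict)
```

A single `vssadmin delete shadows` is treated only as suspicious because legitimate administration produces it occasionally; the mutex name and the ransom note file name are specific enough to the family that either one alone raises the verdict. In production these rules would sit on top of the EDR's own process, file and object-creation telemetry rather than the dictionary records used here.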

Response

If Payload ransomware is detected, isolate the affected host from the network immediately, preserve volatile memory, and collect relevant logs for analysis. Investigators should identify and terminate any remaining malicious processes, then prioritize restoration from verified clean backups. If backups are not available, recovery efforts may use the supplied decryption keys together with the embedded RC4 footer to attempt file restoration. Relevant indicators should be shared with threat intelligence teams, and the associated Tor onion infrastructure and any linked command-and-control assets should be blocked.
